Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Thursday, September 26, 2013

Why Your Unified Identity May Just Be FaceBook

The age of "unified identity" is coming ... in fact many of you are already starting to get comfortable with it. Unified identity (sounds similar to SSO - Single Sign On) is a concept where you authenticate to a single place (FaceBook, let's just say) and then your identity is federated out to various other places. You've been using it for a while, probably, as have your family and friends.

Today we are seeing this happening all over the place, mainly in the consumer online world. You can now log into several of your favorite websites and applications simply by using your FaceBook identity. FaceBook verifies that you know your password and are likely you, then federates (tells the 3rd party) that it has verified your credentials. Again, this is primarily happening in the consumer space right now, and while it's becoming more pervasive it's still a nice-to-have because almost every site still offers you the ability to create your own username and password. But ... let's be honest here, the convenience of having a single password to remember that works for many other places is hard to pass up, and many of us (your humble blogger here included) simply acquiesce.
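To make the "verifies your credentials, then tells the 3rd party" step concrete, here is an added example (not code from the original post, and not FaceBook's actual protocol) of the two halves of a minimal federated login: the identity provider issues a signed, audience-bound, expiring assertion after checking the password, and the relying party accepts the identity only if the signature, audience and expiry all check out. The shared secret, the user id `user-42` and the site names are constructed sample values, and the assertion format is a deliberately simplified stand-in for the signed tokens real federation protocols use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: a secret shared between the identity provider and ONE
# relying party. A real deployment would use per-relying-party keys or
# asymmetric signatures so no relying party can mint assertions for another.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user_id, audience, scopes, now=None, ttl=300):
    """Identity provider side. Called only AFTER the user's password has been
    verified: produces a signed statement that this user authenticated,
    addressed to one specific relying party, carrying only the granted scopes
    and valid for a short window."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user_id,            # who authenticated
        "aud": audience,           # which relying party this is for
        "scope": sorted(scopes),   # what that party is allowed to see
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def rp_verify_assertion(token, expected_audience, now=None):
    """Relying party side. Returns the claims if the assertion is genuine,
    addressed to us and unexpired; otherwise None. Nothing in the token is
    trusted until the signature has been checked."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        return None                      # issued for some other site; replay across sites fails
    if claims.get("exp", 0) <= now:
        return None                      # stale assertion
    return claims


def rp_allows(claims, needed_scope):
    """The relying party should only touch data the provider actually released."""
    return claims is not None and needed_scope in claims.get("scope", [])


if __name__ == "__main__":
    token = idp_issue_assertion("user-42", "shop.example", ["email"], now=1000)
    print("valid at shop.example:", rp_verify_assertion(token, "shop.example", now=1100))
    print("replayed at other site:", rp_verify_assertion(token, "other.example", now=1100))
```

The `aud` and `scope` checks are the part worth noticing: they are what stops an assertion meant for one site being presented to another, and what limits how much of your information the federated party receives (the access question raised later in the post).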

Is this really a good idea?
The answer to the question of whether this type of activity is a good idea or a bad idea lies in whether you believe that individual web identities are manageable (I do not), and whether you trust yet another website to manage your credentials properly more than you trust FaceBook to do so (I believe this is likely a toss-up, with FaceBook getting the benefit of the doubt).

Look, you're not good at managing the hundreds of websites, applications, and places where you have to create yet another username and password pair. Believe me when I say this because I know I'm terrible at it and I have to be paranoid for a living. I can probably remember ~15-20 site/app and credential pairs relatively sanely while using reasonably complex passphrases and passwords. Anything beyond that and I'm forced to re-use ... yep, I do it too. Let's face it though, the truth is that if I have 1 username/password combination for all the sites I'll never go back to again that have nothing really private about me, I don't care and neither do you.

So let's look at FaceBook. They've had many years to increase security in their authentication mechanism and federation system. I won't even insult your intelligence by saying they're secure, but they work very hard at knowing who you are, and being sure it's actually you. Why? Simple - this is how they make money, by getting good tracking data on you. Double-edged sword folks.

Do you really want to give FaceBook the power?
Well, the simple answer to this question is heck no. Although ... you have to ask yourself what privacy you're additionally giving away and whether the juice is worth the squeeze. Are you willing to maintain that thin illusion of privacy by trying to manage potentially hundreds of logins and credentials? I'll save you the brain cycles - the answer is really no.

The other thing here, if I'm honest, is that FaceBook probably already tracks you on many of those sites anyway ... seriously. I'm not saying this makes it OK by any stretch of the imagination, but ... maybe... ?

Yes, we're inching towards a situation where the folks over at FaceBook are going to hold incredible analytical capabilities when it comes to who we are, what we do, what we buy, where we visit and just about every aspect of our digital lives in exchange for the convenience and added security of safe-guarding that information to a single central party over hundreds or thousands of organizations we know we don't trust.

So what if FaceBook gets compromised? Great question.

You probably use something similar to 1Password (if you're smart) to manage all of your web presence and logins ... right? What if they get compromised? That's just a risk we take, it's a calculated risk based on the fact that we know your passwords are stored in a database that requires your passphrase to unlock. Could someone insert malicious code into that application by compromising that password management group - of course. Will they? Maybe. The fact is I would rather have that single point of failure - if I can be reasonably sure it's well-defended - than hundreds of poorly defended ones.

The real issue is the future...
The real issue is this article right here - "FaceBook wants to make mobile payments easier with 'AutoFill'" ... there are many that sprang up overnight reporting on the same issue. The question isn't only whether FaceBook will become the de facto standard for Internet-enabled identity, but how pervasive that identity will become. If you can not only log in, but also quickly pay using your FaceBook identity - would you subscribe? I'm guessing those of you who think like I do are saying to yourselves "Hell no!". The truth is that your family members, colleagues and friends can't wait to jump in on this.

Why, you ask? Simple. It simplifies your life. As your life in the real world melts more and more into your digital persona, services like FaceBook's "AutoFill" will become increasingly popular and useful. No doubt in my mind.

Alright, I'm worried
...and you should be, but probably not for the reasons you're thinking.
This trend troubles me because the war over your online and physical identity is being fought fiercely in the background and no one appears to be taking notice. Security professionals aren't noticing, privacy professionals for the most part aren't noticing - and I don't see or hear a lot of talk about this.

Can FaceBook swallow the world, and become a reasonably secure global federated identity provider? I think this is likely, and they've probably got it on their business plan because they're smart. Will Google keep trying to oppose them - heck yes. Should we all take notice and start to look at the way FaceBook manages our authentication and federates it (including WHAT access to your information it grants the party it federates out to) - absolutely.

I think this is the final frontier in the collision of our still-separate physical and digital lives. Once the identities melt together into a single federated FaceBook (or whoever wins this war) identity, the game will again change.

You'll notice this post hasn't even begun to tackle the topic of authorization yet - that's another story for another time.

I'm curious what you think ... am I totally off my rocker? Chat me up on Twitter @Wh1t3Rabbit and let's hear what you think.

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also stand up to misuse and attack better.

Remember, prevention is a myth the snakeoil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.